Finding harmony with the client-side: A playbook for taking back control
09 Mar 2023
Cloud Security Theatre 1
Modern websites are powered by a mashup of third-party code, which expands their attack surface and creates a security gap. The client-side has traditionally been very hard to control due to the lack of visibility, and attackers are taking advantage of this to leak sensitive data like PII and payment data, which are handled on the client-side. In this talk, we propose to identify the reasons why it is important to have mechanisms to control the client-side. Then, we'll go through the most common practices that are being used today and why they are not effective in some cases. Finally, we'll deep dive into the mechanisms that every company should put in place in order to secure their users' data from web supply chain attacks and improve their security posture on the client-side, by showcasing real-world cases.

Bullet Points:

- Understand how software supply chain attacks work and introduce the concept of the client-side blind spot. Explain why companies are using more third-party vendors on their websites, and show actual data on the amount of 3rd party scripts being used.

- What are the most common practices being used and their limitations. Talk about WAFs, CSP, etc., and introduce the principle of least privilege. Use the practical case of a first-party script that misbehaved.

- Explain the steps to gain back control over the client-side. First, the most important step is to gain visibility into the client-side. For this, it's important to have a real-time inventory of all the scripts running on the website pages and to understand the risk that each of these scripts poses, with special relevance for sensitive data exposure. Then we need to define what live (current) scripts can and can't do on the website through behavioural control: what forms they can access, what changes they can make on the page, and what information they can see and send to external domains (and to which domains). After the control, we need to be constantly aware of the changes affecting these scripts through constant real-time alerts. It's also important to understand what these changes were and what the best course of action is. Finally, we must learn from and report on the issues that happened, what the options to mitigate the risks were, what actions were taken, and why. This will allow us to understand the impact of our actions in terms of the decrease in risk.
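The inventory, least-privilege control and change-alerting steps above, as an added example that is not code from the talk or from any product: two constructed inventory snapshots are diffed to detect new or modified scripts, and each script's observed behaviour is checked against a per-origin policy. The record fields (src, sha256, sends, touchesForms), the policy shape and the hostnames are assumptions; in a browser the snapshot would be built from document.scripts plus a MutationObserver, and the behaviour fields from page instrumentation.

```javascript
// Added example (not from the talk): script inventory diff + least-privilege check.
// Per script host: which domains it may send data to and which forms it may read (assumed shape).
const POLICY = {
  'shop.example': { sends: ['api.shop.example'], forms: ['checkout'] },
  'cdn.analytics-vendor.example': { sends: ['collect.analytics-vendor.example'], forms: [] },
};

// Constructed snapshots of what a real-time inventory would record at two points in time.
const SNAPSHOT_T0 = [
  { src: 'https://shop.example/js/app.js', sha256: 'aaa1', sends: ['api.shop.example'], touchesForms: ['checkout'] },
  { src: 'https://cdn.analytics-vendor.example/tag.js', sha256: 'bbb2', sends: ['collect.analytics-vendor.example'], touchesForms: [] },
];
const SNAPSHOT_T1 = [
  SNAPSHOT_T0[0],
  // The vendor tag changed (new hash), now reads the checkout form and sends to a new domain.
  { src: 'https://cdn.analytics-vendor.example/tag.js', sha256: 'ccc3', sends: ['collect.analytics-vendor.example', 'drop.example'], touchesForms: ['checkout'] },
  // A script from an origin nobody approved appeared on the page.
  { src: 'https://unknown-cdn.example/x.js', sha256: 'ddd4', sends: [], touchesForms: [] },
];

const host = (src) => new URL(src).hostname;

// Change detection between two snapshots: this is what feeds the real-time alerts.
function diffInventory(before, after) {
  const prev = new Map(before.map((s) => [s.src, s]));
  const next = new Map(after.map((s) => [s.src, s]));
  return {
    added: [...next.keys()].filter((src) => !prev.has(src)),
    removed: [...prev.keys()].filter((src) => !next.has(src)),
    changed: [...next.keys()].filter((src) => prev.has(src) && prev.get(src).sha256 !== next.get(src).sha256),
  };
}

// Least-privilege check: every observed behaviour must be explicitly allowed by the policy.
function checkPolicy(snapshot, policy) {
  const violations = [];
  for (const s of snapshot) {
    const rule = policy[host(s.src)];
    if (!rule) { violations.push({ src: s.src, issue: 'no policy for origin' }); continue; }
    for (const d of s.sends) if (!rule.sends.includes(d)) violations.push({ src: s.src, issue: `sends to ${d}` });
    for (const f of s.touchesForms) if (!rule.forms.includes(f)) violations.push({ src: s.src, issue: `reads form ${f}` });
  }
  return violations;
}

console.log(JSON.stringify(diffInventory(SNAPSHOT_T0, SNAPSHOT_T1)));
console.log(JSON.stringify(checkPolicy(SNAPSHOT_T1, POLICY)));
```

The second snapshot yields one added script, one changed script and three policy violations, each of which would become an alert with enough context to decide on the course of action.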